
Vulnerability Disclosure Policy

Introduction

This document serves as Chintai's Vulnerability Disclosure Policy (referred to hereinafter as the "Policy"). It outlines our commitment to providing exceptional service to our customers and reflects our willingness to collaborate with the community to ensure the highest standards of security.

Scope

This policy applies to all subdomains of http://chintai.io and http://chintainexus.com.

Responsible Disclosure Guideline

To ensure the security of Chintai products and the safety of our customers, reporters must adhere to the following guidelines when submitting details on potential security vulnerabilities:

  • Share the security issues confidentially with Chintai.

  • Include detailed information in the report so that it can be properly evaluated.

  • Do not publish any information without Chintai's explicit guidance and consent.

  • Do not access or modify user data; only interact with your own or test accounts during research.

  • Notify Chintai immediately if you encounter any end-user data. Do not view, alter, save, store, transfer, or otherwise access the data, and delete any local copies immediately.

  • Act in good faith to avoid any violation of the law, destruction of data or interruption of service.

  • Ensure compliance with all applicable laws.

We will not negotiate under duress or threat. We will not negotiate under threat of withholding the vulnerability or under threat of public disclosure of the vulnerability or exposed data.

Reporting a Security Vulnerability

If you believe you've discovered a potential security vulnerability in any subdomain of http://chintai.io or http://chintainexus.com, we strongly encourage you to report it in accordance with this Policy to the following email address: security@chintai.io, providing the following details:

  • Technical description of the issue.

  • Detailed steps to reproduce and/or sample code used to exploit the vulnerability.

  • Contact information and optional name for acknowledgments.

Excluded Submission Types

The following issues are outside the scope of this Policy:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

  • Findings generated by automated tools without detailed explanation on what parts are vulnerable and how the vulnerability might be exploited.

Vulnerability Disclosure Process

Upon receiving a report, our security team will evaluate its validity and impact, providing feedback to the reporter.

We will collaborate with the reporting party to validate vulnerabilities, gather additional information, and provide regular updates. All information is handled confidentially, with limited internal distribution. Reporters are also expected to maintain confidentiality until remediation is complete.

Once a vulnerability is confirmed and addressed, Chintai will inform the reporter of the resolution and may seek further validation. We share results, including acceptance, severity, timelines, resolution, and disclosure plans, and address any concerns in good faith.

Rewards

Chintai offers rewards for reporting vulnerabilities, with amounts varying based on the impact and quality of the report. The bounty ranges are as follows: 100 USD for low impact, 1,000 USD for medium, 3,000 USD for high, and 5,000 USD for critical vulnerabilities. These amounts are indicative and subject to change based on our discretion.

Compliance with program rules is mandatory for eligibility, and only the first reporter of an issue qualifies.

Chintai does not publicly acknowledge or offer rewards to its employees, contractors, subsidiaries, service providers, or related parties for the discovery of vulnerabilities.

Severity Determination

Vulnerabilities are rated by their impact on the confidentiality, integrity and availability of the Chintai platform.

Critical

Critical vulnerabilities are those that result in the compromise of large amounts of sensitive user data, mass account takeover, or significant disruption to platform availability.

Examples of critical vulnerabilities include:

  • System-wide compromise, affecting multiple users or core functionality.

  • Unrestricted access to sensitive user data.

  • Bypassing authentication, allowing an attacker to fully assume user identities.

  • Escalating privileges to an administrative level, granting complete system control.

High

High-rated vulnerabilities are those that allow unauthorised actions that impact individual users, such as impersonation, unauthorised access, or partial privilege escalation.

Examples of high vulnerabilities include:

  • Identity takeover, enabling an attacker to act as another user.

  • Bypassing authorisation controls, allowing unauthorised access to sensitive user data.

  • Performing admin-level actions without full administrative control.

Medium

Medium-risk vulnerabilities allow an attacker to conduct limited actions on behalf of another user without their permission, without immediate financial impact, or to access less-sensitive information.

Examples of medium vulnerabilities include:

  • Conducting actions on behalf of other users, without immediate financial impact or sensitive data compromise.

  • Exposing non-sensitive user data, such as metadata, without direct security or financial impact.

  • Redirecting users to unintended locations without their knowledge.

Low

Low-risk vulnerabilities are typically vulnerabilities that result in unintended behaviour rather than direct security breaches.

Examples of low vulnerabilities include:

  • Exploiting browser-based weaknesses, requiring user interaction.

  • Manipulating UI elements, causing minor unintended effects.

  • Bypassing minor security controls, leading to inconvenience but no significant impact.
